Written by Dr. Felix Gassmann – chief technical officer, Sauter Group

With the rise of Bitcoin, the digital Internet currency, blockchain technology has suddenly become more than just hype. Internet giants are planning their own digital crypto currencies and threatening the tradional world of key currencies and banks. Alongside these megatrends, SAUTER is taking a dierent approach and is aiming for a more “peaceful” use of blockchain technology  to protect the data and processes used in building automaon


blockchain is a decentralised database that maintains a steadily growing list of records. With Bitcoin, this database is extended with every transaction, thus building a chain that is constantly having new elements or blocks added (hence the term blockchain). When a block is complete, a new one is created containing the digital fingerprint of the previous block. If someone deletes only a single element in this data block chain, the fingerprint of the affected block changes and thus the whole blockchain would break up into the individual links of the chain.

A special feature of Bitcoin is that each transaction is checked again before it is written to the Blockchain. Every computer in the Bitcoin network can see that subscriber A wants to transfer bitcoins to subscriber B. The computers in the network then check whether the transaction complies with the rules and whether A also has enough bitcoins. When, and only when, all participating computers agree that the transaction is valid, it is then entered in the blockchain with the chain permanently securing it against forgery. SAUTER deploys blockchain technology in its own unique way – linking its automation stations in a building network and creating a blockchain ring. The computing resources used and the extra communication data that results are extremely modest. There is no such excessive power consumption, just an increase in data security!

Cyber security in the age of IoT

With the development of its new building automation system, modulo 6, SAUTER has opened the doors to cloud and IoT technology. As buildings are connected to the IoT and the Cloud, system and network security is becoming a major challenge. To overcome this, SAUTER has based the cyber security concept for modulo 6 on the new international standard for industrial automation, IEC 62443. The IEC standard defines seven fundamental requirements and four security levels for cybersecurity (see Tables 1 and 2).

              

  

 

    


    


SAUTER has described the security levels attained by modulo 6 for networks and system components in the modulo 6 Guideline for Cyber Security. This specification allows the current security level to be determined for plants that may require special protection and, if required, to increase these through targeted measures.

uSAUTER Blockchain dashboard – isolaon of a staon Blockchain ring formed by automation stations

modulo 6 had a high level of protection built in from the beginning The automation station offers a completely separate network interface from the building network. This creates a type of firewall between the internet and building network. Encryption, authentication and access protection are guaranteed by proven security technologies (TLS 1.3, IEC802.1X, etc.) and the network interfaces are already well protected against DOS attacks at automation level. Therefore, processes can be observed, limited, isolated or even stopped if needed. modulo 6 is also equipped for the BACnet/SC (BACnet Secure Connect) security standard planned for 2020. This means that the system more than adequately covers IEC basic requirements 1, 2 and 4-7. Only for

requirement 3, ie ensuring system integrity, did Sauter think that existing measures were still unsatisfactory. System integrity could also be described as the “intactness of data” or “protection against unauthorised modification of data”. Examples of this might include changing audited measurement and process data or

interference in automation programs. Such data modifications could even

be caused by the company’s own service staff – unknowingly and completely by accident.

When thinking about the bitcoin and blockchain principle, people initially visualise the security of data transactions or payments. Beneath this dynamic transaction level, however, is a static, distributed blockchain-secured database – a kind of “ledger set in stone of all existing transactions”. SAUTER is now translating this principle into the world of networked building automation and developing its own Blockchain process. The idea is simple: The static data of the automation stations in the network form a kind of Blockchain ring. Each automation station generates its digital fingerprint. This is based on its own data and on a fingerprint of the previous station in the blockchain ring. The block data typically consists of programs, firmware and process and network parameters. Simply put, each station uses its own data to form a block in the blockchain. If the integrity of the data in a station is infringed (deleting or changing a single bit is all that it takes), the blockchain collapses immediately.

In the event of a breach of the Blockchain's integrity, the system's responses are:

a) Only trigger an alarm

b) Trigger alarm and isolate affected station (and assume emergency signal state, for example)

c) Trigger alarm, isolate affected station and initiate automatic self-repair Action c) requires the creation of a digital twin for every station during commissioning. These twins (a copy of all static data) are saved in an encrypted database. They can then be stored on a dedicated automation station, local computer or in a data centre / the cloud. An advanced procedure for this approach allows us to distribute the 'twins' randomly among the existing stations, completely removing the need for an additional database computer.

The self-repair process is particularly useful, especially during routine servicing. If an automation station is replaced, the data validated during commissioning is guaranteed to be transferred uncompromised. The procedure has now been submitted as a patent and passed an international patent search. SAUTER has thus achieved a unique security level for the important system integrity requirement stipulated by IEC 62443.


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50